Computer Support Forum

AWOLA Removal and Your computer is infected! Popup continuous

Question: AWOLA Removal and Your computer is infected! Popup continuous

I am attempting to clean my in-laws' computer but I have been unable to remove AWOLA spyware from their system. I have downloaded Ad-Aware and also followed the steps that you suggested and I am still seeing the yellow box pop-up and AWOLA will uninstall and then re-install itself. I have been unable to locate the original file, only shortcuts. Also, I have not been able to do any Windows Updates on their system. PLEASE HELP!

Deckard's System Scanner v20071014.68
Run by Owner on 2008-05-16 17:15:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 383 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:55 PM, on 5/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Documents and Settings\Owner\Application Data\adgeq.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\AOL\114782~1\EE\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\D17U9L9F\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.h...ys=DTP&M=T3120
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...ys=DTP&M=T3120
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...ys=DTP&M=T3120
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.h...ys=DTP&M=T3120
O2 - BHO: (no name) - Software - (no file)
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: PeoplePC ScamGuard - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\ppctoolbar.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\ppctoolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\Owner\Application Data\adgeq.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60...ad/ppcwebi.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C7F4A2F-9490-4686-B910-07D6CCE9EE75}: NameServer = 85.255.115.75,85.255.112.109
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.75 85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.75 85.255.112.109
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

--
End of file - 5120 bytes

-- Files created between 2008-04-16 and 2008-05-16 -----------------------------

2008-05-16 17:15:51 0 d-------- C:\Program Files\Trend Micro
2008-05-16 16:57:58 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-16 16:57:51 0 d-------- C:\Program Files\SpywareBlaster
2008-05-16 15:12:46 0 d-------- C:\Program Files\Panda Security
2008-05-16 15:12:45 0 d-------- C:\WINDOWS\LastGood
2008-05-16 13:53:44 148 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-05-16 12:58:29 0 d-------- C:\Program Files\Lavasoft
2008-05-16 12:58:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-16 12:57:34 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-16 12:50:27 0 d-------- C:\WINDOWS\system32\?icrosoft.NET
2008-05-16 12:49:40 60928 -----n--- C:\WINDOWS\system32\roa.dll
2008-04-27 00:30:15 0 --ahs---- C:\Documents and Settings\Owner\Application Data\0000000000t.dat
2008-04-25 08:50:31 13824 --a------ C:\Documents and Settings\Owner\Application Data\adgeq.exe
2008-04-25 01:36:15 0 d-------- C:\Documents and Settings\Owner\Application Data\ScamBlocker
2008-04-24 11:53:23 0 d-------- C:\Program Files\?ymantec


-- Find3M Report ---------------------------------------------------------------

2008-05-16 17:02:10 33 --a------ C:\Documents and Settings\Owner\Application Data\install.ini
2008-05-16 14:28:29 0 d-------- C:\Program Files\PeoplePC
2008-05-16 14:25:40 0 d-------- C:\Program Files\Common Files\AOL
2008-05-16 14:25:37 0 d-------- C:\Program Files\Common Files\aolshare
2008-05-16 14:25:21 0 d-------- C:\Documents and Settings\Owner\Application Data\AOL
2008-05-16 13:35:53 0 d-------- C:\Program Files\Common Files
2008-05-16 13:34:25 0 d-------- C:\Program Files\QuickTime
2008-05-16 13:33:17 0 d-------- C:\Program Files\CyberLink
2008-05-16 13:33:16 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-16 13:26:57 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-16 1356 0 d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-05-16 13:03:28 0 d-------- C:\Program Files\QdrModule
2008-04-26 16:48:41 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-04-24 11:53:23 0 d-------- C:\Program Files\?ymantec
2008-04-05 06:45:47 41724 ---hs---- C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
2008-04-05 01:29:39 8268 --a------ C:\WINDOWS\system32\000060.exe
2008-04-05 01:29:14 270694 --a------ C:\WINDOWS\system32\000090.exe
2008-04-04 13:25:48 187904 ---hs---- C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
2008-04-04 12:26:00 229527 --a------ C:\WINDOWS\system32\000080.exe
2008-04-04 1055 10240 --a------ C:\WINDOWS\system32\000070.exe
2008-03-23 15:50:45 0 d-------- C:\Documents and Settings\Owner\Application Data\Dealio
2008-02-21 12:31:04 47 --a------ C:\tmp.bat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FB8EB3-183B-4598-924D-86F0E5E37085}]
04/02/2008 01:03 PM 237056 --a------ c:\program files\peoplepc\toolbar\ppctoolbar.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A8FB8EB3-183B-4598-924D-86F0E5E37085}"= c:\program files\peoplepc\toolbar\ppctoolbar.dll [04/02/2008 01:03 PM 237056]

[-HKEY_CLASSES_ROOT\CLSID\{A8FB8EB3-183B-4598-924D-86F0E5E37085}]
[HKEY_CLASSES_ROOT\PeoplePC.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{994D628D-4D22-4DB9-B6DB-F7D9F1635817}]
[HKEY_CLASSES_ROOT\PeoplePC.Toolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [09/18/2005 12:32 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [09/18/2005 12:32 PM]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [03/27/2006 11:57 AM]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [09/26/2005 08:34 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [11/22/2004 12:18 PM]
"Microsoft Windows Adapter 5.1.3214"="C:\Documents and Settings\Owner\Application Data\adgeq.exe" [04/25/2008 08:48 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdamt.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Blubster]
C:\Program Files\Blubster\Blubster.exe SILENT

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1147821201\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=2 (0x2)
"svcWRSSSDK"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SAVScan"=3 (0x3)
"PrismXL"=2 (0x2)
"ose"=3 (0x3)
"NSCService"=3 (0x3)
"NPFMntor"=2 (0x2)
"navapsvc"=2 (0x2)
"LiveUpdate"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"NVSvc"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74022fdd-c36f-11da-98d5-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc3e7da9-9a4e-11da-831d-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

*Newly Created Service* - RKPAVPROC



-- End of Deckard's System Scanner: finished at 2008-05-16 17:16:20 ------------





Answer: AWOLA Removal and Your computer is infected! Popup continuous

Hi, welcome to TSF!

If you still need assistance, please post a fresh main.txt log

1 more replies
Relevance 75.03%

Hi,

Earlier today I managed to get the Awola malware onto my computer. I have run Ad-Aware & Spybot S&D along with F-Prot anti-virus software. I have also run Hijackthis! & removed the Awola line. I also ran a search of my computer files & removed all files relating to Awola. I have rebooted my computer & the annoying yellow triangle warning message continues to pop up every 30 seconds. Could someone help to squash this pest?

Thanks in advance!
haroldff1082

Answer:Annoying "your Computer Is Infected!" Pop-up (awola)

Hello and welcome haroldff1082

What antivirus product do you have installed and have you scanned with it in safe mode?

Please do this also:

Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop. DO NOT run yet.

Open SUPER from icon and install and Update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to start Windows in Safe Mode

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox or Opera browser click it at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER

Open from the desktop icon or the program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.
To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs... Read more

3 more replies
Relevance 66.01%
Question: Awola Removal!!!!

I got infected with Awola and can't get it off. Thanks for your help.

Incident Status Location

Spyware:Application/Awola Not disinfected c:\documents and settings\kris\application data\awola\awola.exe
Spyware:Application/Awola Not disinfected C:\Documents and Settings\Kris\load.exe
Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Documents and Settings\Kris\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe ... Read more

Answer:Awola Removal!!!!

Any suggestions on how to get rid of this. Plzzz my computer is crashing and i need help bad. Thanks

10 more replies
Relevance 66.01%
Question: Awola Removal!!!!

I have Awola virus on my computer and i cannot get it off. i have deleted the registry values and everything. I ran spybot s&d and ad-aware. Please help in any way you can. Thanks.

Answer:Awola Removal!!!!

help plzzzz, i can barely use my computer with it this bad. thanks

2 more replies
Relevance 66.01%
Question: awola removal

My brother-in-law has managed to install awola and now I have to get rid of it. Any ideas? He lives 60 miles away and is techno-phobic.

Answer:awola removal

click here

10 more replies
Relevance 66.01%
Question: Awola Removal

dealt with AWOLA removal today. here are the following steps used to remove it:

0. DISABLE System Restore.

1. download, install and update Malwarebytes AntiMalware removal tool.
http://www.malwarebytes.org/

2. reboot your system into Safe Mode with networking.

3. verify that you have the latest update of Malwarebytes by performing the update again.

4. perform a FULL SCAN with Malwarebytes and, after the scan is complete, remove all items in the list.

5. perform a search on your computer for the following:
*awola*.*
this will search for ANY file in your system with the word 'awola' anywhere within its name, regardless of the file extension. DELETE any 'awola' files.

6. open the registry (ie. regedit) and do a search for 'awola' and remove any items you find.

7. perform another scan with Malwarebytes to be certain your system is clean.

8. restart your system.

if anyone has comments, please share them.
 

More replies
Relevance 65.19%

After reviewing the forums I have found that I have a common issue as others do. I have the same Windows balloon pop-up and when clicked it will install the fake AWOLA anti-spyware. I have already followed the steps required to generate logs and I am posting them now. Could someone please provide me with any additional help to remove this malware from my system and thank you in advance.
 

Answer:AWOLA virus removal help

Welcome to Major Geeks!

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Do you use MusicMatch Jukebox?

You need to go back and follow the instructions in step 1 of the READ ME for MSconfig. You must not use MSconfig to control any startups or services. Select Normal Startup mode and remain in that state.

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 12
Java 2 Runtime Environment, SE v1.4.2
Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

Make sure you reboot after uninstalling the above!

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelDrv.exe] C:\WINDOWS\System32\KernelDrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_4\bin\jusched.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O17 - HKLM\System\CS2\... Read more

3 more replies
Relevance 65.19%

I'm in an identical situation to another post. I'm not sure though if the response to other post was based on the reports or not. So, like the other guy:

Ran all the "READ & RUN ME FIRST" (Win XP) steps. Still have popups from yield sign in tray that say "Your computer is infected!" Also still have Awola Anti-spyware that either Spybot S&D or AVG had detected, and I thought, deleted.

Thank you so much for this forum!! Just let me know if I should simply follow what the other thread described.
 

Answer:AWOLA antispy and "Your Computer is Infected"

Hi kilgore!
I'll take a look at your logs and get back to you. This takes some time, so thanks for your patience. Please don't use your computer too much until we're sure it's clean.
abri
 

14 more replies
Relevance 64.78%

My PC is infected. A program "MS Removal Tool" pops up when I boot and scans my computer and then asks if I want to remove the threats. It has blocked my virus software from running. I followed the Bleepingcomputer Forum preparation guide and ran DDS.txt and have attached attach.txt and ark.txt Logs to this topic. I am posting them here. Please help.

Thank you.

DDS.

DDS (Ver_11-03-05.01) - NTFSx86
Run by Robert at 18:02:41.05 on Sun 04/24/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3574.2324 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k Netw... Read more

Answer:Infected with "MS Removal Tool" Popup "scans PC"

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

If you have since resolved the original problem you were having, we would appreciate you letting us know.
If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system. If you are unsure about any of these characteristics just post what you can and we will guide you.
Please tell us if you have your original Windows CD/DVD available.
If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply'... Read more

16 more replies
Relevance 63.96%

Ran all the "READ & RUN ME FIRST" (Win XP) steps. Still have popups from yield sign in tray that say "Your computer is infected!" Also still have Awola Anti-spyware that either Spybot S&D or AVG had detected, and I thought, deleted.

Attached Combofix and MGTools logs. AVG had no report to save even though I had "Automatically generate report after every scan" checked and "Only if threats are found" unchecked. The only thing AVG found was 9 cookies.

Thanks.
 

Answer:"Your computer is infected!" & Awola

Hi cee3!
Welcome to Major Geeks!

I'm looking at your logs.
abri
 

8 more replies
Relevance 63.55%

Hello

I'm new to this website and in desperate need of help. This virus is actually giving me anxiety and I'm starting to have chest pains. I'm such an idiot! I downloaded a supposed video codec from a link that was hosted by cnn (so I thought it was trusted) and it downloaded a file titled "install_player3913012". And ever since then a popup comes up and says: your system has been infected with a dangerous file ...download this spyware removal tool or malicious files will be lost. Obviously I don't ever download it.

I followed preparation guidelines but it took forever! I don't believe Housecall was able to complete. And also my Norton Antivirus says it's unable to access the engine to complete a scan. I want to reinstall but I'm scared to do so without your input first.

And worse off!! I just found out while writing this post that it must be messing with my keyboard because as I am trying to type, the cursor automatically goes back 1 space and places the letter there. I had to edit this post for it to be spelled correctly. I can't go on like this. To get a better idea of what I mean I'll show you what it does if I don't edit it:

Helo Iam hving trouble wthm cmputerand I' aking bleeping copter.com to help m because i dot know wher else to turn .eneutmm oy ia l

THIS HAS NEVER HAPPENED BEFORE, I AM POSITIVE IT IS BECAUSE OF THAT DOWNLOADed virus.

Please, kindly extend your help to me. I live on my computer and I am absolutely paralyzed in my professio... Read more

Answer:Popup: "your System Has Been Infected...download This Spyware Removal Tool"

Hello and Welcome to Bleeping Computer. I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today. Please give me some time to analyze your log, and I will post back with instructions ASAP.

5 more replies
Relevance 62.73%

hello guys/gals:



here with my computer again. it now has a phony anti-virus software on it, "awola". the computer has been taken over, no task manager, no wallpaper, random shut downs, constant "warning" pop ups, i can't do anything anymore......


please help thanks


here are the logs:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 18:02:31.03 on Mon 04/06/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.500 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\awolaantispy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\iTunes\iTune... Read more

Answer:AWOLA has infected my system

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please explain why this computer has no antivirus program installed and running. This is an open invitation for infection.

It can take as little as eight seconds to infect an unprotected computer.

Please keep this computer offline except when downloading tools and posting in the forum until we get one installed. Let me know your intentions for an antivirus program.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs ...

2 more replies
Relevance 62.73%

I have a similar issue to others but I don't see a common fix - HELP!

I've run all the programs you recommended. Here are the logs.

This virus puts a yellow bang in my tray and states I've been infected. After closing the message a few times it launches Awola.

I believe it hit me 2 weeks ago.
 

Answer:Awola virus has infected my pc

More files attached.
 

10 more replies
Relevance 62.73%

Hi, my mother recently infected her PC with AWOLA, and ever since, everything has been running much worse. I've tried to use previous posts / fixes, but to no avail. I've included the DSS report below. Thank you so much.

Deckard's System Scanner v20071014.68
Run by sconstan on 2008-02-01 14:59:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-01 14:59:34
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Progress\OpenEdge\bin\admsrvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Microsoft SQL ...

Answer:Older PC Infected with AWOLA, Please Help

Bump. Thanks again.

8 more replies
Relevance 62.73%

Hi there, I believe my computer was recently infected by the Awola Virus / Trojan, and I could really use some assistance. I thank you in advance for any suggestions and help, they are appreciated. I'll put up a detailed description here of what's happened so far, and can certainly provide any additional information that may be required. My computer knowledge is okay, but very limited in terms of spyware and troubleshooting complex problems like this one.

Operating System = Windows XP

A couple of days ago I was doing some stuff online at 7:45pm, preoccupied and in somewhat of a rush. I got a popup menu that a trojan had been found, I assumed it was from my McAfee Security Centre (as this has happened several times before) but I didn't really look at it that closely, and selected okay (I think). I then started to receive a bunch of popups about Spyware, and Awola spyware removal program. I kept closing them because I was in a rush, didn't really look that closely, thought it was just ads and may very well have clicked something I shouldn't have. I did see the Awola Program box come up at one point and I thought I attempted to close it, but I may have clicked on something inadvertently.

Upon rebooting later, I realized that the computer was probably infected. I cannot click or open any application, by double-clicking an icon or program name I always receive the same error message (tailored to whatever application I attempted to open). A black empty box a...

Answer:Infected By Awola 6.0 And Could Really Use Some Help Removing It

if you have not already done so you could try the superantispyware program?
http://www.superantispyware.com/superantis...efreevspro.html

download it from
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

run the installation program and start the program from the desktop icon; fully update the definitions, reboot the computer into safe mode if it will let you, then run superantispyware from the desktop icon on a full computer scan

when the scan is complete, reboot your computer into normal mode, and come back and post the log report you should find by opening the program and go to preferences/statistics.logs

left mouse click on the most recent entry, click on 'view log' and copy and paste that report into here for examination so folks can see what help you may need

30 more replies
Relevance 61.91%

This is definitely not an anti-spyware program. It opens a window off the toolbar disguised as a Windows security update. It warns, "Your computer is infected! Click here to protect your computer...". The balloon does not go away. It worked its way onto the computer uninvited. I've followed all the procedures listed in the Preparation Guide but to no avail. Please help. Thanks for your time and expertise. Here's the hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:13 PM, on 8/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\M...

Answer:Infected With "awola Anti-spyware 6.0"

Welcome to the BleepingComputer HijackThis Logs and Analysis forum rosevilledad

My name is Richie and I'll be helping you to fix your problems.

Your version of Sun Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Sun Java, and then update.

1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u2'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

Download Combofix and save to your desktop:

Note: It is important that it is saved directly to your desktop

Close any open browsers. Double click on combofix.exe and follow the prompts. When it's finished it will produce a log. Post the entire contents of C:...

7 more replies
Relevance 61.91%

Hi there. I believe I contracted a virus / trojan through Awola 6.0 a few weeks back. I started a thread in the 'Am I Infected' section, here's the link for that full thread: http://www.bleepingcomputer.com/forums/t/143729/infected-by-awola-60-and-could-really-use-some-help-removing-it/

Long story short, I believe this virus was contracted on Wednesday, April 23 around 745pm. My operating system is Windows XP. Whenever I double-click on any .exe file I get an all-black window, and a little window above it with an error message similar to this:

"16-bit MS-DOS Subsystem
C:\Documents and Settings\All Users\Desktop\Winamp.Ink
The NTVDM CPU has encountered an illegal instruction.
CS:054d IP: 013d OP: f0 85 38 90 3a Choose 'Close' to terminate the application."

I can right-click certain programs and select "Run As" to use them, but can't double-click on anything. I also think this virus has taken over Administrator duties, changed my registry and is preventing me from properly installing programs. It was also preventing me from running anti-virus scans, but I believe we have found a way around this, and I was finally able to process a scan with DSS (and Hijack This). I also did a scan using the Kaspersky scanner. I will copy and paste all logs below. Thanks in advance for all your help.

HIJACK THIS MAIN.TXT

Deckard's System Scanner v20071014.68
Run by Mania on 2008-05-19 22:51:49
Computer is in Normal Mode.
---------------------------------------------------------------------------------- ...

Answer:Infected With Awola 6.0 Virus / Trojan

Hello

Apologize for the delay in response we get overwhelmed at times but we are trying our best to keep up.

If you have since resolved the original problem you were having would appreciate you letting us know

If not please perform the following below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
Create a new System Restore point in Windows XP and Vista.
Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
Check some important areas of your system and produce a report for an analyst to review.
Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.

You must be logged onto an account with administrator privileges when using.
Close all applications and windows.
Double-click on dss.exe to run it and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When the scan is complete, two text files will open in Notepad:
main.txt <- this one will be maximized
extra.txt <- this one will be minimized
If not, they both can be found in the C:\Deckard\System Scanner folder.
Please copy (Ctrl+C) and paste (Ctrl+V) the c...

18 more replies
Relevance 61.91%

I've had this infection for some time. Tried a bunch of methods from computerforum but still can't finish the virus off. I constantly get CID popups and on my mom's guest account she has this annoying AWOLA popup that appears to say it's an anti virus program.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:31:45 PM, on 5/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\D...

Answer:Badly Infected With Cid Popups And Awola

also in my c: folder I have like 200 TMP files that look like pos1A2F.tmp what are these??

3 more replies
Relevance 58.63%

Ok when we start the computer, it has a popup that says "Windows Explorer has stopped working. Windows is checking for a solution to the problem". It vanishes only to reappear. I can't get into any folders to do ANYTHING to try to fix. We've rebooted and husband tried a system recovery. Any help would be MUCH appreciated. Thanks!

Answer:weird continuous popup

Same in Safe Mode? When did it start? Any recent changes to your computer?

3 more replies
Relevance 58.63%

I just got this laptop for school and I love it, but the continuous messages that popup are driving me crazy. It asks if a certain program can continue. Usually I am the one who clicked on the program or site or whatever and yes I want it to continue! Is there a way to stop these messages? It gets really annoying and wastes my time.
 

Answer:continuous popup messages

What program are you trying to run and you get the UAC question?
 

2 more replies
Relevance 58.22%

Hello,

My wife was on the computer last evening and picked up a bug. I can't log in to safe mode at all. I get a warning message that the logon.exe is not available. The background for my workspace is changed to "Your system is infected! the system has been stopped due to spyware. I need to get spyware to continue." I have mbam installed on the system but am not able to use it. I also have Superantispyware installed. With bitdefender antivirus 2009 and use zone alarm firewall. Working with it I have gotten the pop up to go away, but still no luck with trying to get computer to log into safe mode. I have win xp sp2 installed I am attaching my last HJT log as this atm is my only program I can run. I don't have internet with the corrupted computer. I am looking for some help with this.

Thanks

[attachment deleted by admin]

Answer:I got the Your computer is infected popup

check the following:

This is probably what is stopping you from using Safe mode:
F2 - REG:system.ini: Shell=Explorer.exe logon.exe

userinit is a windows component; sdra64, on the other hand, is a trojan.
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,D:\WINDOWS\system32\sdra64.exe,

this isn't necessarily a threat but there's no reason for it to be there:
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

"winupdate" is not a windows component. (windows update is performed by a process called wuaclt, if memory serves me)
O4 - HKLM\..\Run: [winupdate.exe] D:\WINDOWS\system32\winupdate.exe
O15 - Trusted Zone: http://wow.allakhazam.com
O20 - Winlogon Notify: yayyVMdc - yayyVMdc.dll (file missing)

and click "fix checked"

Also, try using the mbamrenamer tool, here, or rename the malwarebytes shortcut and program file yourself, (as you have for hijackthis) and see if that lets you run it; or after fixing the items with hijackthis see if you can reboot into safe mode and run MBAM from there.

11 more replies
Relevance 58.22%

I have a popup that keeps saying that the computer is infected, cannot remove it with spyware removal, ran winpfind, results are below. New at this, can someone help?

by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

????????????????? Windows OS and Versions ???????????????????????????????
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 5/5/2006 7:39:36 AM 39424 C:\WINDOWS\mtuninst.exe

Checking %System% folder...
PEC2 8/4/2004 2:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 4/10/2006 1:00:34 PM 555824 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 6/8/2006 8:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 6/8/2006 8:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 2:00:00 PM 7080...

Answer:Popup That Says Computer Is Infected

How To Remove Spyfalcon (removal Instructions)

1 more replies
Relevance 58.22%

I'm working on a Toshiba laptop with XP/SP2. Recently was on the net when I got a popup from Pest Control saying that my computer was infected and that I should clean up using their program. Since this isn't my laptop, I just assumed that this was a program she had installed and wanted used. SOOOO....I went ahead and did their scan. They "found" 101 infections and of course to clean them all I had to do was to purchase their $39.95 program. At that point I realized too late that I was being scammed. Ran a windows defender and McAfee scan which both showed no problems.

My real problems began soon after. I began to have Pest control simply popup and begin running in the middle of any internet activity. Two red balls with Xs appeared in my Taskbar and most annoyingly continuously have a popup saying

" /!\ Your computer is infected!
Windows has detected spyware infection
It is recommended to use special antispyware tools to prevent data loss.
Windows will now download and install the most up-to-date antispyware for you.
Click here to protect your computer from spyware"

When I tried to remove Pest control via Add/Remove Programs, I would get a notice saying that the program could not be removed until it was closed. Since I was not overtly running it, it was obviously hiding out in the background. I then disabled it from the startup menu and was subsequently able to delete it.

Although the actual Pest Control program no longer pops up, I still have ...

Answer:"your Computer Is Infected" Popup

Hello mpetrodoc! My name is Charles and I will be dealing with your log today.

Please take note of the following:
I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.

Thanks,
Charles

9 more replies
Relevance 58.22%

Hi,

I'm new to these forms so let me know if I need to do this differently. I had an "infected computer" pop up so I found your Malware Removal instructions and have spent the past couple of days going through the procedures. These seem to have solved my problem so far but was wondering if you could take a look at my logs when you have time to see if there is anything else I should do.

I'm running XP Pro SP2 with Live OneCare for Virus/spyware protection. (What is your opinion on this program?)

The programs I ran removed and/or quarantined spyware and a Trojan virus. I think you will see this in the reports. Can I delete the quarantined items?

The Counterspy report actually has three different scans in it.

I will put the last three reports in next post.

Thanks for your help.
 

Answer:Your computer is infected popup

Here are the other three reports.

Thanks
 

13 more replies
Relevance 58.22%

Hello;
I am getting a Popup in the lower right hand corner of my screen entitled "Your Computer is infected" (including a yellow triangle with an exclamation point). It is telling me to "Click here to protect your computer from spyware". Discussion groups online say that this is malware so I have not clicked on it. It will not go away. I updated Symantec Anti Virus 10.1.4.4 and ran a full system scan. I ran Ad-Aware 2007 and AVG Anti-Spyware in Safe Mode. The Popup still appears. I am running Windows XP Professional Version 2002 with Service Pack 2. Any assistance you can give me would be greatly appreciated.

Thank you;
george27

Answer:"your Computer Is Infected" Popup

http://www.bleepingcomputer.com/forums/f/55/spyware-and-malware-removal-guides-and-reading-room/

there are a lot of nice self-help guides here by Grinler

knowing which one of the rogues you have is the tricky part

1 more replies
Relevance 58.22%

There is a thread on the first page from JoeofDoom describing almost the exact same problems that I am having with popup ads from IE, some of which include audio. I'll be on my bank's website and then when I leave, a whole new browser opens with a popup ad about my bank! Makes me very nervous...

HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:40:12 PM, on 3/15/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\VERIZONDM\bin\sprtcmd.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Gamevance\gamevance32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program...

Answer:computer infected - popup ads everywhere!

10 more replies
Relevance 58.22%

Hello,
 
I am looking for some help to address an Avast alert message that the web shield appears to be blocking access to a harmful webpage or file about 3-4 times a minute. The standard virus scan Avast offers (I only have the free version), Malwarebytes and Spybot S&D don't seem to address the problem. Can you help guide me through a troubleshooting and removal process?
 
Josh

Answer:Avast URL: Mal Continuous Message Popup

Download Security Check from here or here and save it to your Desktop.
Double-click SecurityCheck.exe
Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
NOTE 3. If you receive UNSUPPORTED OPERATING SYSTEM! ABORTED! message restart computer and Security Check should run

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
Make sure the following options are checked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Please download MiniToolBox and run it.
Checkmark following boxes:
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices (do NOT change any settings here)
List Users, Partitions and Memory size
List Restore Points
Click Go and post the result.

Please download Malwarebytes Anti-Malware to your desktop.
NOTE. If you already have MBAM 2.0 installed scroll down.
Double-click mbam-se...

33 more replies
Relevance 58.22%

Hi,
A continuous pop up of Windows AV2009 seems to have started all the problems. I also noticed that a Windows Security Alert button was added to my tray, telling me that my Automatic Update was turned off. After trying all the suggested fixes for turning it on, the Update still remains off. An error message, "Automatic Update Error 1058" was received.
I did a virus scan with Trend Micro and found Troj-VUNDO.DHY on 3 files that could not be cleaned, so were deleted. System seems to be constantly running / working, everything is loading slow and startup is taking much longer than normal.
System is a Dell 4600 running XP Professional version 2002, service pack 3, Pentium4, 2.40GHz, 1.00GHz RAM
Any suggestions would be much appreciated.
Thanks very much.
Here is the Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:35 PM, on 12/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\PixArt\PAC7311\Monitor.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\V0330Mon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\1204090616\ee\...

More replies
Relevance 57.81%

Hi, this is my first time posting here.

I'm running Windows XP Pro SP2, and my computer has a virus that, at first, was giving me a tool-tip-like message from the system tray saying "Your computer is infected! ..." and something about installing a scam antivirus program. I've done a lot of searching for this issue and have seen many cases of it. Posts on other forums offered specialized programs like "Smitfraudfix.exe" and others that I was unable to get to work.

I've updated my Java (which stopped the annoying "Your computer is infected!" popup), removed my Temporary Internet Files, and run Avast! and Avira every time I restart my computer, but each time there seems to be malware that needs removed. Can someone please help me clean this virus / trojan off of my machine completely?

Thank you for your time, here is a HJT log from the time of this post:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:53 PM, on 9/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files...

Answer:"Your computer is infected!" Popup message. Computer infected with Trojan

16 more replies
Relevance 57.4%

Thanks so much for any help you can provide. I've been told I passed on a virus while sending pictures from my iPod. They were stored on this computer. Also include the problem above (popup infection)

DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by Maura at 10:06:23.66 on Thu 01/28/2010
Internet Explorer: 8.0.6001.18882
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.1259 [GMT -6:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\notepad.exe
C:\Windows\...

Answer:various odd problems/popup "infected computer"

edit

30 more replies
Relevance 57.4%

Yeah so I obviously have a virus and or multiple viruses/trojans.

So in my System Icon tray at the bottom of my screen has a little red circle with a white x in the middle and it keeps popping up with this message: "Your computer is infected! Windows has detected spyware infection. It is recomended to use special antispyware tools to pervent data loss. Windows will now download and install the most up-to-date antispyware for you. Click here to protect your computer from spyware!"

That message pops up in a little window, sometimes when I'm browsing it will randomly take me to a completely white page telling me something about a virus scan. This hasn't happened in awhile though.

I know it's a virus so I don't click on it but it continues to pop up. I've had this virus before and I downloaded avast antivirus which worked before but I'm not sure will remove it this time. I don't know how to get rid of it now.

DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 16:48:41.17 on Sat 09/12/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.167 [GMT -5:00]

AV: avast! antivirus 4.8.1351 [VPS 090912-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Softw...

Answer:Your computer is infected! popup/ trojans

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

*If you have since resolved the original problem you were having, we would appreciate you letting us know.
*If not please perform the following steps below so we can have a look at the current condition of your machine.
*If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

**If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

----------------------------*-------------------------------

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is ne...

2 more replies
Relevance 57.4%

I'll get right to the point concerning my computer. I'm running Windows XP Home Edition, and I was browsing the web using Internet Explorer Monday night at 11 PM. I am an avid fan of the tv series on Fox called "24", so I was searching online to watch some of last season's episodes. Places like Hulu only had the first five episodes, so I was navigating around to find the rest of the episodes in that season (I know, dumb idea). I went to one website, (sorry I don't remember the name of it), and found that it had links to other places which I had no interest in following. I exited out of that browser page, and then my computer continued to exit out of iTunes, AIM, and another browser page I had open from Fox's website. I didn't know what was going on, and as my computer was closing out of the programs, I tried reopening AIM, to no avail. An error popped up saying that my computer was shutting down, and the program could not be opened. My computer shut down and rebooted itself. Upon reaching my desktop again, a popup in the bottom right corner came up and said the following:
Your computer is infected!
Windows has detected spyware infection.

It is recomended to use special antispyware tools to pervent data loss. Windows will now download and install the most up-to-date antispyware for you.

Click here to protect your computer from spyware!
That was the entire message in the popup. And yes, in the popup, "recomended&qu... Read more

Answer:"Your computer is infected!" message popup with big red "X"

try this.....http://www.malwarebytes.org/

one of the best spyware utilities i have found.....it has successfully cleaned a dozen or so pc's for me....

12 more replies
Relevance 57.4%

I always get some security warning when I try to click on some sites for example when I'm searching for something and get a list of websites. please help me I have no idea what to do!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:11:46, on 3.10.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Syste... Read more

Answer:Infected Computer, Security Popup

Hi,

Please uninstall SpywareBot via software > add/remove programs.
Then reboot.

After reboot,
* Please download FixwareOut from the following site:
http://download.bleepingcomputer.com/lonny/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.

The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.

Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.

2 more replies
Relevance 57.4%

I apologize in advance if this topic has already been addressed but I didn't find it right away in the forum. Anyway, my friend's laptop has a popup randomly displaying from the tray with the title "Your Computer is Infected!" and then a paragraph about Critical System Error etc etc. I ran Norton with current defs and found a spyware and removed it but the popup persists. I did a little search on the Internet but didn't really find anything relevant. Anyone else have/had this? What to do?

Dave
 

Answer:Solved: Your Computer is Infected! Popup

11 more replies
Relevance 57.4%

My computer has been infected. I have the popup "your computer is infected". I also can't seem to run hijack this, spybot, adware, and other virus removal tools. I also get redirected in my ie6 browser when I click on links after doing a search in google. It takes me to different places instead of where it is supposed to. I read some other threads and saw something about rsit. I did manage to download that using another computer and ran it on the affected machine. Here are the logs.
I have trendmicro anti virus but I guess it didn't stop it.

Please help..........

Thank you




info.txt............................................................

info.txt logfile of random's system information tool 1.04 2008-11-17 06:45:50

======Uninstall list======

-->"C:\Program Files\CyberDefender\cdinstx.exe" /u "C:\Program Files\CyberDefender\earlySpam\cdinstx.log" /t "CyberDefender Early Detection Center - AntiSpam"
-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 6.0 Standard-->MsiExec.exe /I{AC76BA86-1033-0000-BA7E-000000000001}
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstal... Read more

Answer:your computer is infected popup and cant run hijack this

i somehow managed to run hijack this and got this


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:26 AM, on 11/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\yahoomessenger.exe
C:\Program Files\CyberDefender\AntiSpyware\cdas64.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\PGP Corporation\PGP Desktop\pgptray.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Tre... Read more

2 more replies
Relevance 57.4%

Hi, my computer has been recently infected with some sort of *.starsdoor.com malware where randomly IE pop-ups with ads. I noticed that when I go into the pop-up blocker the starsdoor.com site is inserted there to allow popups to that site. I keep removing it and it re-inserts it again and the pop-ups keep coming back. I've ran symantec, McAfee Avert Stinger, cleaned up my cookies, cleaned up my temp files, and although some of the scans found various trojan viruses and removed them, it keeps coming back. I am also noticing a performance hit to my computer. I have seen other people post to this site with a similar problem. If you could take a look at my HT log and let me know what I should do it would be very much appreciated. I am running Vista Home Premium 64bit OS, Intel Quad Core 6600, 4 gigs of ram.

Thanks
Davin

======================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:49:04 PM, on 06/01/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files (x86)\kernel\kernel.exe
C:\Program Fil... Read more

Answer:Computer Infected With Starsdoor.com Popup Ads

Hello LiteSaber and welcome to BleepingComputer!

Apologies for the delay. The forum has been very busy lately. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A Hijackthis Log.

Please also post the problems you are having.

Thanks,
Johannes

13 more replies
Relevance 57.4%

Hi everyone, i hope someone can help. My pc got infected on Sunday, its a red X symbol in the quick launch bar - and when you hover the mouse over the symbol the pop up box reads:

"Your computer is infected. Windows has detcted spyware infection. It is recommended to use special antispyware tools to pervent data loss. Windows will now download and install the most up-to-date antispyware for you. Click here to protect your computer from spyware!"

i've gone through the procedures in the Preparation guide on this site but still had no luck getting rid of the virus. My F-secure antivirus programme has highlighted svchost.exe, Win32 perflogger and Trojan Dowloader Win32/agent as possible risks but is unable to delete/disinfect any of these. I've attached the Hijack log, any help would be greatly appreciated.

On a side note, for some reason my keyboard won't operate in the boot screen before entering safe mode, so i can't get into safe mode to make any changes. Its a Logitech keyboard - its power lights don't seem to come on until the Windows XP symbol is already on the screen.

Thanks in advance

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:58:56, on 14/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.ex... Read more

Answer:Your computer infected Popup Red X - Trojan?

Hi,

Your system is severely infected. Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.

Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.

So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

I see you are running Teatimer. I suggest you to disable it because it can interfere with the changes you'll make on your system. When everything is done and your log is clean again, you can enable it again. If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer <== click me for instructions.

After you disabled Teatimer, download ResetTeaTimer.bat to your desk... Read more

14 more replies
Relevance 57.4%

HI.
My boss has got the above mentioned malware on his PC. I have run the SmitFraudFix to correct it with no joy.

Below is the HJT log before, the rapport and the HJT report after.

Thanks for your time

Kevin
Logfile of HijackThis v1.99.1
Scan saved at 10:59:15, on 07/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Cisco Systems\cvpnd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\TEMP\AQC00.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\NCS\P... Read more

Answer:Solved: Your Computer is Infected! Popup

15 more replies
Relevance 56.99%

My brother has this virus on his computer, "YOUR COMPUTER HAS BEEN INFECTED WITH SPYWARE", which has taken over desktop wallpaper and automatically runs the fake antivirus 2009 program. I was able to fix this before on another computer through safe mode, but this time I'm unable to get into safe mode and in a regular boot it won't allow me to access any programs, start command, regedit, etc.

Will I have to start over from scratch and reinstall the XP or is there any possible way of getting into safe mode in order to install malwarebytes or a similar program to remove the spyware/virus? The last time I fixed it I was able to get into safe mode, run malwarebytes which allowed me to access the desktop in normal boot mode. From there I went into the Gateway system restore and brought it back to its original form. I've searched online reading many threads and without safe mode, I can't do much. Any information or help is appreciated.
 

Answer:Your computer has been infected with spyware popup virus- need help!

Thanks to BBEARREN I was able to get back to the desktop and not have that horrible desktop wallpaper and fake antivirus 2009 running. As he suggested I made an Ultimate Boot CD and ran every AV tool and spyware/malware that was on the CD. After running all the tools I installed my XP SP2 CD and repaired the installation. I have just gotten back to the desktop where I was able to run a log of hijack this. Hopefully everyone out there can take a look for me and let me know if I still have the virus lurking on the computer. Thanks again BBEARREN.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:24:10 PM, on 7/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AOL\Active Security Monitor... Read more

3 more replies
Relevance 56.99%

Hi guys,

Can you help me out? I have spyware.

A bubble keeps popping up from the system tray from a white cross in a red circle. It says "Windows has detected spyware infection. It is recommended to use special antispyware tools to prevent data loss. Windows will now download and install the most up to date antispyware program for you. Click here to protect your computer from spyware"

It is so annoying. Can someone help me to remove it?

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:12:52 AM, on 4/09/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
D:\WINDOWS.XP\System32\smss.exe
D:\WINDOWS.XP\system32\winlogon.exe
D:\WINDOWS.XP\system32\services.exe
D:\WINDOWS.XP\system32\lsass.exe
D:\WINDOWS.XP\system32\svchost.exe
D:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
D:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
D:\WINDOWS.XP\System32\svchost.exe
D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
D:\WINDOWS.XP\system32\ZoneLabs\vsmon.exe
D:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
D:\WINDOWS.XP\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS.XP\system32\LxrJD31s.exe
D:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
D:\WINDOWS.XP\system32\PnkBstrA... Read more

Answer:Your computer is infected popup from system tray

Bump!

Hi,

Would someone be able to help me? I haven't had a reply yet. I did another HJT scan but it did not turn up braviax.exe. The file (braviax.exe) still exists in the system32 folder in the WINDOWS folder though.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:13:24 PM, on 14/09/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
D:\WINDOWS.XP\System32\smss.exe
D:\WINDOWS.XP\system32\winlogon.exe
D:\WINDOWS.XP\system32\services.exe
D:\WINDOWS.XP\system32\lsass.exe
D:\WINDOWS.XP\system32\svchost.exe
D:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
D:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
D:\WINDOWS.XP\System32\svchost.exe
D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
D:\WINDOWS.XP\system32\ZoneLabs\vsmon.exe
D:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
D:\WINDOWS.XP\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS.XP\system32\LxrJD31s.exe
D:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
D:\WINDOWS.XP\system32\PnkBstrA.exe
D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
D:\Program Files\CyberLink\Shared Files\RichVideo.exe
D:\WINDOWS.XP\system32\svchost.exe
D:\WINDOWS.XP\System32\svchost.exe
D:\WINDOWS.XP\Explorer.EXE
D:\Program Files\Realtek\InstallShield\AzMi... Read more

2 more replies
Relevance 56.99%

I couldn't post this in the Malware section. I kept getting an "invalid link" error so I figured I'd give it a try here. ( I think today is the day of errors for me!)

Here's my problem. I keep getting this pop up "System error! Your computer was infected by unknown trojan. It's dangerous for your system (critical files can be lost)! Click OK to download the anti-spyware program to clean your system! (Recommended)"

I also just removed java/shinwow.BG and 3 instances of java/byteverify!exploit by using ccleaner.

I've turned off system restore and deleted all save points and turned it back on.

I've installed HijackThis and my current log is listed below.

Thank you for any help you might have. You could email me directly at ......... removed .....
 

Answer:System Error! Your computer was infected... popup

Please go follow the instructions here:

http://forums.majorgeeks.com/showthread.php?t=35407
 

3 more replies
Relevance 56.99%

it always automatically download a spyfalcon SW and the popup still there
i don't know what to do...
my search and destroy didn't find anything
i removed a vcodec /i think:)/, but the pop up is still there
please help me someone...

Logfile of HijackThis v1.99.1
Scan saved at 8:45:35, on 5.3.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsof... Read more

Answer:System Tray -your Computer Is Infected!- Popup

Hello,

Do you also have Kazaa installed? Because I see the Bestoffers (or at least leftovers) present. Kazaa installs malware with it, so in case you have it installed, uninstall it via start > controlpanel > software > add/remove programs. Normally this also uninstalls The BestOffers automatically. In case it doesn't, look in your add/remove programs if The Best Offers is still present and uninstall it as well.

Concerning the SpyFalcon popup, let's see first if you are dealing with the old or the new version, so perform next:

I need to get an export of the files being started via the SharedTaskScheduler registry key. Please download the following file and save it to your desktop:

getsts.exe

Once it has downloaded, please double-click on the file, which should now be on your desktop. When the program is finished, it will create a text file on your desktop called getsts.txt and open it in notepad. Please post the contents of this notepad as a reply to this topic.

By the way, I see you are running Teatimer. I suggest you to disable it because it can interfere with the changes you'll make on your system. When everything is done and your log is clean again, you can enable it again. If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer during HijackThis Cleanup

Then, Download ResetTeaTimer.bat. Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

6 more replies
Relevance 56.99%

I started getting the "Your computer is infected!" balloon in the lower right hand corner. Then the spysherrif thing telling me to scan it and clear the infected files. I've run everything and deleted as many things as possible. The Torpig (i think that's what it was called) is the one thing that the spybot can't delete. I don't know what to do now - here is my hijack this log. Any help appreciated. Thank you in advance.

Logfile of HijackThis v1.99.1
Scan saved at 3:24:45 PM, on 5/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
c:\awu... Read more

Answer:Your Computer Is Infected! Popup - Uninstalled Spysherrif

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

1 more replies
Relevance 56.17%

Visiting my girlfriend and noticed she had a lot of annoying popup ads on Youtube and that her homepage was set to some sort of Blekko search website and she has an addon toolbar for Mozilla for it. I ran Malwarebytes and here is the following log...

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.20.01

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 8.0.6001.19088
lauren :: LAUREN-PC [administrator]

5/19/2012 11:19:56 PM
mbam-log-2012-05-19 (23-19-56).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 224954
Time elapsed: 15 minute(s), 3 second(s)

Memory Processes Detected: 2
C:\Program Files\TelevisionFanatic\bar\1.bin\64brmon.exe (PUP.MyWebSearch) -> 2152 -> Delete on reboot.
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE (PUP.MyWebSearch) -> 1112 -> Delete on reboot.

Memory Modules Detected: 2
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL (PUP.MyWebSearch) -> Delete on reboot.
C:\Program Files\TelevisionFanatic\bar\1.bin\64brstub.dll (PUP.MyWebSearch) -> Delete on reboot.

Registry Keys Detected: 253
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SYSTEM\... Read more

Answer:Infected Computer. Popup ads and Blekko toolbar search

Restart the PC and run malwarebytes once again, make sure it comes out clean

Regarding blekko search bar follow this guide
http://help.blekko.com/index.php/how-do-i-uninstall-search-bar/

Download TDSSkiller
Launch it.
Click on change parameters - Select TDLFS file system
Click on "Scan".
Please post the LOG report (log file should be in your C drive)

Please download GMER from here (does not work on 64 bit OS)
http://www2.gmer.net/download.php
Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.

Download aswMBR
Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start scan.
After scan finishes, click on Save log
Post the log results here

4 more replies
Relevance 56.17%

My desktop computer is slow and contains popups to random advertisements. I also get redirection to a notice web page that computer is infected and scan automatically begins. Below is the DDS file and I have attached the files as instructed.


DDS (Ver_10-03-17.01) - NTFSx86
Run by MLA Staff at 22:16:16.17 on Fri 10/01/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.144 [GMT -7:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\McAfee\VirusScan Ente... Read more

Answer:Redirection / Popup saying computer is infected and begins scan

"Bump Please"

13 more replies
Relevance 56.17%

Hello,

I believe that my computer is infected. Initially, I had the popup of Antivirus 2010 telling me that my computer was infected and asking if I wanted to purchase their product. I loaded Microsoft security essentials and scanned and it found a few things. That popup is gone but the computer still has major problems. Any executable that I try to run results in the popup saying that the .exe file is infected and would I like to activate my antivirus software. BTW Microsoft Security Essentials keeps stopping and asks me to manually restart the service. I also get a popup which says "Just in Time" debugger and that a new instance of a script is running and would I like to debug it. Also, any access to the internet results in a page not found error.

I have pasted the data from the DDS tool here and I have attached the files attach.txt and ark.txt

Thank you in advance for your help.

Steve
***************************************

DDS (Ver_09-12-01.01) - NTFSx86
Run by John at 19:33:34.95 on Sun 01/03/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.415 [GMT -5:00]

AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Microsoft Security Essentials *On-access scanning disabled* (Outdated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2ev... Read more

Answer:Computer Slow - Popup windows saying .exe files are infected

Hello again, just an update to provide some more details. The Antivirus 2010 popup is back and popping up every minute or two. I am unable to get to the internet through any browser. I can't print to my printers (network) but I can ping my router through a DOS prompt and get a reply from the router. Any help would be appreciated. I am not sure if I should try to remove the Antivirus 2010 as directed in the other forums or don't do anything and wait for a reply here. Thanks again.

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that ... Read more


Logfile of HijackThis v1.99.1
Scan saved at 6:45:46 PM, on 3/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
E:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
E:\WINDOWS\System32\snmp.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\AOL\1103770708\ee\AOLSoftware.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\America Online 9.0c\waol.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\America Online 9.0c\shellmon.exe
E:\WINDOWS\system32\nvctrl.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Documents and Settings\Jon\Desktop\hijackthis\HijackThis.exe

O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - E:\WINDOWS\system32\hp205E.tmp
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [HostManager] E:\Program Files\Common Files\AOL\1103770708\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HDAudio] E:\WINDOWS\hda.exe
O4 - HKCU\..\R...

Answer:ms-dos popups and security alert,computer is infected popup

Please download these additional files/programs. Do not run them unless instructed to do so.

smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

*Note* Alternate download sites for smitrem... http://www.downloads.subratam.org/smitRem.exe
http://www.bleepingcomputer.com/file...ar/smitRem.exe

DelDomains.inf
Right-click and select Save Target As - save it to your desktop.

To use: Right-click and select....... Install (no need to restart)
**Note** This will remove all entries in the "Trusted Zone"

CleanUp!.exe - Install

Ad-aware - install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also make sure to customize the settings in Ad-aware at http://www.greyknight17.com/spyware.htm#adaware for better scan results. Once updated, and custom settings in place, close Ad-aware.

Ewido Security Suite
Install Ewido Security Suite
When installing, under "Additional Options" uncheck:
Install background guard
Install scan via context menu

Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files. On the left hand side of the main screen click update.
Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido

'UNPLUG'/D...


I just got an infected computer with some malware virus and I need help! I have read to use HiJackThis but don't know what to do. I downloaded the file and ran it. I pasted the logfile below. Can anyone please help me?

Jason
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:16 AM, on 8/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Video ActiveX Access\iesmn.exe
C:\Program Files\Video ActiveX Access\imsmain.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Video ActiveX Access\iesmin.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Video ActiveX Access\imsmn.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jr...

Answer:Malware infected computer...Antivirus popup adds in IE


After being on the web for a short time I get a variation of the following pop up and it also directs me to a webpage. 
 
"blablabla.com (this changes) says:
 
Your computer is infected with an adware of malware causing you to see this page.
This may happen due to obsolete virus protection. To fix please cal system support at 9844) 472-7833 immediately. Please ensure yo do not restart your computer to prevent data loss.
Possibility of Data and Identity theft, if not fixed immediately."
 
In order to get the pop ups to go away I have to end all tasks related to my internet session. 
 
 
FRST.txt:
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 23-11-2016
Ran by Im The Taxman (administrator) on HALLFAMILYPC (26-11-2016 10:14:57)
Running from C:\Users\Im The Taxman\Downloads
Loaded Profiles: Im The Taxman (Available Profiles: UpdatusUser & Im The Taxman & DefaultAppPool)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x8...

Answer:Keep getting popup and opens new window states computer infected!

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.

===
To fix please cal system support at 9844) 472-7833 immediately. Please ensure yo do not restart your computer to prevent data loss.
This is a scam. Do not call that telephone number.
===

Let's start the cleaning with this.
Press the windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.

start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

() C:\ProgramData\ddc24aa9-6c5d-44d0-8c40-9bed83bb2ab7\maintainer.exe
(Coupons.com Inc.) C:\Program Files (x86)\Coupons\CouponPrinterService.exe
HKLM-x32\...\Run: [mobilegeni daemon] => C:\Program Files (x86)\Mobogenie\DaemonProcess.exe
HKU\S-1-5-21-2825098560-1414404751-4058877529-1001\...\Run: [NextLive] => C:\Windows\SysWOW64\rundll32.exe "C:\Users\Im The Taxman\AppData\Roaming\newnext.me\nengine.dll",EntryPoint -m l
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
AutoConfigURL: [S-1-5-21-2825098560-1414404751-4058877529-1001] => hxxp://none-stops.net/wpad.dat?6b78aec9afef669f93cf3f2cfd7a88db20241774
ManualProxies: 0hxxp://none-stops.net/wpad.dat?6b78aec9afef669f93cf3f2cfd7a88db202...


I have followed the 5 steps to take prior to posting a thread:

After startup, when I get to the desktop I receive the following message in the tray:
"Your Computer is infected! Windows has detected spyware infection. It is recommended to use special antispyware tools to prevent data loss. Windows will now download and install the most up-to-date antispyware for you. Click here to protect your computer from sysware".

Within 10 seconds the PC automatically restarts and the above will repeat without end. I don't even have enough time to open the task manager prior to the restart, the screen just goes black immediately and it starts up from a complete shutdown.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:47:37 PM, on 10/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...rm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://...

Answer:"Your Computer is infected" Continuous shutdown

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Use Safe Mode for running ComboFix if necessary.

------------------------------------------------------

Download Combofix from any of the links below. You must r...


Hi, I keep getting this pop-up window message whenever I click on any link in my Internet Explorer:

System Error
Your computer was infected by an unknown trojan. It's dangerous for your system (Critical Files can be lost!). Click OK to download the antispyware problem to clean your system (Recommended).

It has also hijacked the yahoo and google search results so I have to now copy and paste them to the browser. Please let me know what should I do to clean this... Please help!!! Please let me know if you want me to post it in some other forum. Thanks!

I am attaching HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:32:00 AM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwlt...

Answer:Ie Popup System Error: Your Computer Was Infected By Unknown Trojan..

Is this the problem line?? I have no clue but just browsing through web I gathered this, I may be wrong...thanks!

O2 - BHO: Sysem Player - {2AE4C401-AAC4-4F41-9665-1EC88C3BDD7D} - C:\WINDOWS\sysvol32.dll


Hi, how are you?

Every time I open anything from folder to 'my computer' I get this error.

"Your computer was infected by unknown trojan.
It's dangerous for your system (critical files can be lost)!
Click OK to download the antispyware program to clean your system! (Recommended)"

I ran ad-aware, and mcafee. Still Nothing.

I ran hijack and this is what I get. Any help would be really appreciated! Thank you so much!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:08 PM, on 2/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:...

Answer:System Error: Your computer is infected with unknown trojan popup


I have run HijackThis and am going to run CobraFix (as recommended on several similar posts). For ease in reading, the HijackThis Post is here and I'll post again with the cobrafix output. Thank you in advance. This is so annoying!!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Media Player - {8161DF25-78BD-412D-8B45-87EFD0839BC6} - C:\WINDOWS\wmpdxm.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Micro Innovations\Optical Wheel mous...

Answer:Trojan Virus; Popup with 'Your computer was infected ...'; Diagnostics included

Combofix ran as expected except that the desktop did not return. I had to reboot to get it to come back. I am still getting the same 'infected' popups.

ComboFix 08-03-14.4 - Mark T 2008-03-16 18:35:16.1 - NTFSx86
Running from: C:\Documents and Settings\Mark T\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\151.exe
C:\Program Files\winupdates

.
((((((((((((((((((((((((( Files Created from 2008-02-16 to 2008-03-16 )))))))))))))))))))))))))))))))
.

2008-03-16 10:15 . 2008-03-16 10:15 28,672 --a------ C:\log_hijackthis_0315.doc
2008-03-15 17:38 . 2008-03-15 17:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-15 10:21 . 2008-03-16 18:27 8,769 --a------ C:\WINDOWS\system32\Config.MPF
2008-03-15 10:20 . 2008-03-15 10:20 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-03-15 10:20 . 2008-03-15 13:07 <DIR> d-------- C:\Documents and Settings\Mark T\Application Data\SiteAdvisor
2008-03-15 10:20 . 2008-03-15 10:20 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\SiteAdvisor
2008-03-15 10:20 . 2008-03-15 10:20 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SiteAdvisor
2008-03-15 10:17 . 2007-07-21 09:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-03-15 10:17 . 2...


Could not find directions and download links to AdwCleaner or aswMBR on the page that is supposed to have them. However, there were directions and download links for FRST logs and they are included here.
 

Answer:PowerShell: continuous NOT WORKING error popup windows AND a frustrated user

Hello,

Before we begin, please note the following:

I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
The logs can take some time to research, so please be patient with me.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

Download Malwarebytes Anti-Rootkit to your desktop.

Double-click the icon to start the tool.
It will ask you where to extract it, then it will start.
Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
Click in the introduction screen "next" to continue.
Click in the following screen "Update" to obtain the latest malware definitions.
Once the update is complete select "Next" and click "Scan".
When the scan is finished and no malware has been found select "Exit".
If malware was detected, make sure to check all th...


I am getting a popup balloon when I boot up saying "Your computer is infected! Windows has detected spyware infection". It shuts down my computer every 3 or 4 minutes. I tried running HijackThis but it will not run. I tried the current version and an older version (1.9.82) and neither work. It simply does nothing when I try to run it.

Please help guys. It is my computer at work.
EDIT

I forgot to mention I also tried launching Combofix and I get the same result, it just won't run.

Answer:Please Help. "Your computer is infected! Windows has detected spyware infection" Popup and Cant Run HijackThis

Welcome to the forum

I forgot to mention I also tried launching Combofix and I get the same result, it just won't run.

Please note ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer.

Maybe try this scan instead and progress from there.

Please download Malwarebytes Anti-Malware and save it to your Desktop.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.

If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.

The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be pati...


I have scanned with ad-aware, norton anti-virus (which says it is unable to fix virus), spy-bot search & destroy, as well as msn anti-spyware beta. I continue to get a virus notification from Norton when I turn on my computer. I have had this problem about 7-10 days. The first time I got one of the winfixer pop-ups I had just opened an email from someone I have had emails from before. Thank you for your assistance.

Logfile of HijackThis v1.99.1
Scan saved at 3:30:57 PM, on 11/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WI...

Answer:Winfixer Popup & Sexbuddies Popup/infected W/trojan.vundo Per Norton

I forgot to add this above in my first post - Norton says that the virus is in c:windows\system32\ddaya.dll.


Hi,

There are essentially three symptoms that I am seeing. There is a fake Security Center Warning that pops up periodically asking me to enable autoprotect. It says that the computer has been infected with a "Spyware.ISPYNow", a high risk virus. The popup also contains a link that I haven't clicked.

When I bring up either (IE or Firefox) of the browsers that I use, it gets automatically redirected to a page with a warning about "Insecure Browsing" and has links to download and install protective software.

I believe the infection came from a site that I was browsing via Firefox. I recognized it within minutes of setting in and started acting to fix it. Since then, I have run a variety of programs. They are:

Norton Antivirus with the latest updates
SDFix
HijackThis
Ad-aware
ATF Cleaner
SuperAntiSpyware and finally
ComboFix

Norton reported Backdoor.TiServ, but couldn't remove or quarantine it. Between SDFix and HijackThis, a lot of the TSSServ virus files and registry entries got removed. I also manually cleaned up some files including some TSSServ tmp files in my Local Settings folder. Ad-Aware then reported and removed ctl_w32.sys from the temporary internet files folder. It also removed a number of "suspicious" cookies, temp files and registry entries. However, it was not able to remove a hidden registry entry under HKLM/System\ControlSet0001\Control that looked like it was related to ctl_w32.sys. ATF Cleaner and SuperAntiSpywar...

Answer:Computer Infected, IE / Firefox getting Redirected and a Fake Security Center Warning Popup

Hello! My name is Sam and I will be helping you. In order to see what's going on with your computer I may ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Please download random's system information tool (RSIT) and save it to your desktop.
Double click on RSIT.exe to run it.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


My computer has been acting pretty weird lately. It's been going a lot slower and the hourglass is constantly popping up even when the only thing I'm doing is reading a web page. Initially I scanned with my Avast virus protection and it didn't detect anything: it did say that some files couldn't be scanned. I did accidentally let my virus protection lapse but for no more than half a day and I wasn't on the web at that time because I was at work. Then the other day, I received a popup from Comcast (my provider) that said one or more computers on my network might be infected by a bot. Right before that message popped up, a black box appeared very quickly, two separate times (it looked like the box that appeared whenever I was testing my router awhile back). So I did a boot-time scan with Avast, and this time it did find a virus with a high severity rating. I also scanned with ESET online scanner and it detected a trojan horse. I think I might have two separate infections going on because whatever the Avast found was under my profile and the trojan horse that ESET found was under a different user. I would appreciate some help in getting rid of whatever is going on here.

Answer:A popup from Comcast that says my computer is more than likely infected by a bot; Virus protection detects trojan horse

Oh yeah, I guess I should include my log huh.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:20:54 AM, on 12/21/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Adobe\Elements 9 Organizer\ElementsOrganizerSyncAgent.exe
C:\Users\Mexicans\AppData\Local\Google\Update\1.3.21.79\GoogleCrashHandler.exe
C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files (x86)\Bamboo Dock\BambooCore.exe
C:\Program Files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon....


The "Driver Cure" popup comes up every time I turn on or restart my computer. Also, I constantly have advertisement popups. Recently there has been one that says I have won a walmart giftcard. Also, sometimes when I click on something in a website, I am redirected to another unwanted website. Please help!

- Unislynntastic

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Eunice Lin at 23:44:22 on 2012-02-22
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.121 [GMT -5:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\PC Tools\PC Tools Security\pctsAuxs.exe
C:\... Read more

Answer:Infected with "DriverCure" popup, "quick scan" popup, and advertisements

Hello Unislynntastic, Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1. Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator.
If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and gi... Read more

3 more replies
Relevance 54.12%

Hello and thank you for your time and patience!
Some messages etc
Internet Explorer warning popup. Infected by [email protected] alert Popups: computer infected with spyware managing popup ads OPHE ver 4.12_23
'Critical System error'
Popup blocker must be disabled showing 0
Homepage has been taken over by securitysite.com. Default homepage was yahoo.co.uk. Bad imitated page setup when type address. cannot change default page back.
Use: Windows XP and Internet explorer 6.0. Has been infected from adult sites. A few popups appearing adult and gambling
No system changes.
Did not previously have a firewall apart from windows one.
tried installing AVE. Says not infected but wont update to latest version.
the following won't work: Windows defender, Spybot is pushed down to bottom of screen. Housecall and Panda won't download. Ad Aware works well
Not able to enable topic reply notification by default, but I can access other PCs to pick up emails in the normal way.

Bit Defender results
detected problems
program files\Internet explorer\iexplorer.exe infected W.YL:trojan
same as above - disinfection failed
same as above - deleted

C:system volume Information\_restore{B943B23-EE1D-4020-8AAB infected with trojan
same as above - disinfection failed
same as above - deleted

C:\windows\system 32\mousebut.exe infected with trojan
same as above - disinfection failed
same as above- deleted

C:\windows\system32\win32US.ex... Read more

Answer:Have System Alert: 'popups Computer Infected With Spyware Managing Popup Ads Ophe Ver 4.12_23

Your AVG is out of date
AVG 7 - http://free.grisoft.com/freeweb.php/doc/2/
===============
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows... Read more

1 more replies
Relevance 52.89%

I have a Dell running XP. I reinstalled XP when my father gave me the computer infected. Well I have done the same. My computer runs very slow. The windows I open do slow motion when I close them. I have recently got A LOT more knowledgeable in protecting my PC after infecting the laptop I am typing this on. This site helped me a ton. But anyhow I am wanting to get my desktop to working order and secure. I have recently installed: HijackThis, SilentRunners, Dr.Web, and SuperAntiSpyware in prep for removing my nasties. I also have a sub to Stopzilla anti spyware. It scanned and said 1143 threats which is more like 56 with subs. But I have noticed after scanning and removing that if I unplug my net all seems to be well for the most part. I haven't gotten any errors. My computer is just very slow and pretty much useless unless I have a ton of time to wait for opening and closing windows. I have nothing of importance on this computer at the moment because it's on my Mac laptop and my PC laptop, so I was thinking maybe it would be easier to do an XP re-install again and then I can secure it from there. That might be less of a fight? Please throw me a line I would like to get this dealt with. Thanks
 

Answer:Infected Computer Removal Needed

16 more replies
Relevance 52.89%

I apologise, I am not very good at these kinds of things, introductions aside. After I removed a Ransom Malware via Malware Bytes I continue to get bluescreens reading that a change in the critical system code or data was detected, after multiple programs trying to find a virus or something that might have or has damaged my computer, not many results that haven't fixed the problem. My friend told me to use Command Prompt and use the sfc \scannow command and it found corrupted files but was unable to fix some and not even that fixed the problem, so now I am here asking for help after my friend told me to come here and do so. I have some things that might give some hints to anyone who knows, if solutions don't work, at least whoever wanted to help, tried.
Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.1.7600.2.0.0.256.1
Locale ID: 1033

Additional information about the problem:
BCCode: 109
BCP1: A3A039D8974FA523
BCP2: B3B7465EE9CDE311
BCP3: FFFFF80000B96BB0
BCP4: 0000000000000006
OS Version: 6_1_7600
Service Pack: 0_0
Product: 256_1

Files that help describe the problem:
C:\Windows\Minidump\050513-34491-01.dmp
C:\Users\****\AppData\Local\Temp\WER-45723-0.sysdata.xml

Read our privacy statement online:
Windows 7 Privacy Statement - Microsoft Windows

If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt

Answer:Continuous Bluescreens after removal of Ransom Malware

Hi Kingofsmash101 welcome to SevenForums


   Warning

You will need a USB FLASH DRIVE



   Tip
Download the Tool from a non infected PC
Download Farbar Recovery Scan Tool

Here Farbar Recovery Scan Tool Download

Click on the Download Now button that goes with your bit version



   Note
Click the Windows icon, and then right-click Computer. Select Properties. Look for System Type: which will say 32-bit Operating System or 64-bit Operating System
Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account an... Read more

4 more replies
Relevance 52.89%

I need help getting rid of the source of these spyware and constant pop up ads from IE. I have already done 4 scans with Spybot and found a few spyware that have the same name. Please look at my hijackthis log and see if there is anything wrong.

I run a vista home premium just in case you need this information.

Logfile of HijackThis v1.99.1
Scan saved at 11:42:27 AM, on 4/12/2008
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint\Apoint.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Windows\system32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\S... Read more

Answer:Continuous Spyware after constant scans and removal

Ok.We need to download ComboFix.exe. This will give a better view to the files running and also hidden on your computer.

Please visit this webpage for download links, and instructions for running ComboFix


When the tool is finished, it will produce a report for you. Please copy and paste the "C:\ComboFix.txt" along with a new HijackThis log so that we can continue to do any further cleaning that your system may require.

Caution: Never run and remove files with Combofix unless supervised by a security analyst.

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.

3 more replies
Relevance 52.48%

Hello!
In reading more of these threads I can see I'm not the only one with the iexplore issue.
Glad to know it can be corrected!!!!

I have multiple pop-ups and my computer is as slow as dirt.
When I get home at 3:30 Calif time I will do the HJTInstall.exe thing and post the results.
Would the results of one that was done two days ago help? Yes I was having the issue then and another company did one and told me to email it to someone, which I did but I haven't heard anything back and my computer is close to useless at this point.
Can MFDnNC or anyone else help?
Thanks!!!!
Ginny
 

Answer:malware removal/popup/iexplore removal

16 more replies
Relevance 52.48%

My computer has been infected with a virus and porn ads are popping up every few seconds.
I've been to a few different websites that give step by step instructions for removing this malware but as soon as I download a removal program it is blocked from running.

This includes SAS, MG Tools, etc.

Being unable to run these programs I am completely unsure what to do.
Any suggestions will be greatly appreciated

Answer:My Computer is infected and I am unable to run removal programs

Hello and welcome .. Please give this a go.
Please download Rkill by Grinler and save it to your desktop.
Link 2
Link 3
Link 4
Double-click on the Rkill desktop icon to run the tool.
If using Vista, right-click on it and Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
If the tool does not run from any of the links provided, please let me know.

Next run MBAM (MalwareBytes):
NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the... Read more

1 more replies
Relevance 52.48%

This computer has/had a nasty virus. I have already run Spybot S&D and removed a lot of crap. I also did a scan with MSE and it found several viruses and removed them, but links on sites (google searches mainly) are still getting hijacked. Any help is extremely appreciated as this is a free site.

*****DDS Log*****

DDS (Ver_10-03-17.01) - NTFSx86
Run by Mike at 10:08:04.67 on Fri 09/24/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_21
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3326.2251 [GMT -7:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\dlcxcoms.exe
C:\Program Files\Input Director\IDWinService.exe
C:\Program Files\Input Director\InputDirectorSessionHelper.exe
C:\Program F... Read more

Answer:Infected Computer/Tried the usual removal techniques

Hi

Please do the following:

Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts. When finished, it will produce a report for you.
Please post the C:\ComboFix.txt for further review.

4 more replies
Relevance 52.07%

Hello all, thanks for the wonderful forum and the help! One quick thing to get out of the way - when I ran DDS, it created the DDS.txt but I did not get an Attach.txt log. I will post what I have. My Mother In Law's computer is hosed. Pretty badly. You can open up IE, and it just sits there, never even really opens. I was able to put Firefox on here, which I'm using right now, and it's usable. But anytime you do a Google search, when you try to click on any of the results, you're redirected to any number of obviously virus loaded sites. I'm sure there are other problems that I haven't encountered yet. I'm just now starting to dig into this machine. I'd like to have it back to her in the next few days. Thanks for your help!

DDS (Ver_09-12-01.01) - NTFSx86
Run by Andrew at 17:27:46.70 on Sun 03/14/2010
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2940.1691 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Win... Read more

Answer:Malware removal novice seeking help. MIL's computer infected.

Hello MrCarner

Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.

I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Is everything still the way you described it in your initial post? Have you been able to stop Symantec yet? Let me know of any other things which might be pertinent since you first started the thread.

Thanks,
thewall

4 more replies
Relevance 52.07%

This is my very first post ever in a tech forum, so please bear w/ me as I am somewhat of a newb.
I ran MBAM and found a couple of infected files, which I knew were bad news and deleted. Shortly after my computer started acting crazy...
Pages are taking forever to load then can't be displayed, I run connectivity and get a multitude of responses which fix the issue for about 2 seconds, or sometimes tells me I have no connectivity problems.
If I have multiple tabs open, all but 1 randomly close.
And a few other random problems.

I tried a system restore from multiple points, but am told every time that it can't restore to the points I chose.

I am assuming I deleted something I shouldn't have, but now don't know what to do. I am here because I have always gotten help here. It is getting worse and I am going insane. I am almost to the point where no page will ever load.

Any help would be appreciated. Thanks!!!


Malwarebytes' Anti-Malware 1.35
Database version: 1930
Windows 5.1.2600 Service Pack 3

4/1/2009 7:44:39 PM
mbam-log-2009-04-01 (19-44-30).txt

Scan type: Full Scan (C:\|)
Objects scanned: 210926
Time elapsed: 1 hour(s), 12 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detec... Read more

Answer:Computer acting funny after infected file removal

Hello and welcome to TSF.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

1 more replies
Relevance 52.07%

Hi there.

The last few days have been a living hell for me and my computer, especially because my computer is brand new, bought it 3 months ago. It's really frustrating because with the computer I bought it came with it a 1 year Kaspersky Anti-virus commercial package. It was ALWAYS kept on maximum setting, and my firewall was always on + automatic updates. I have no idea how did I get infected with so many nasty Malwares\viruses. I have tried about everything to remove them. Kaspersky detected Cyberlog-x one day and I immediately deleted it and since then, I've been getting infected with another malwares and Trojans, so I downloaded Spybot - S&D, didn't find anything. Downloaded Ad-aware 2008 and it detected 8 Malwares\Trojans. I keep trying to quarantine them\delete them but whenever I do another scan, they keep coming back up. Yes, I tried doing it in safe mode, I got the same results again.

So far Kaspersky (& Ad-aware) detected these Malwares:-
Win32.Trojan.Delf
Cyberlog-x
Trojan-GameThief.win32.OnLinegames.sfpf <<< This sounds terrifying for me, because I'm a gamer and I don't want my game's account to be stolen or keylogged. So I beg you please help.

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:13:06 AM, on 7/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32... Read more

Answer:My Computer Is Dying, It's Infected And I Can't Remove Them (keeps Coming Up After Removal)

Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
Create a new System Restore point in Windows XP and Vista.
Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
Check some important areas of your system and produce a report for an analyst to review.
Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.

You must be logged onto an account with administrator priv... Read more

2 more replies
Relevance 52.07%

Help! Here are my log files posted as requested from another forum. Vista will boot normally but wireless won't connect and nothing will open.
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-03-2015
Ran by Barbara (administrator) on BARBARA-PC on 30-03-2015 07:37:59
Running from C:\Users\Barbara\Desktop
Loaded Profiles: Barbara (Available profiles: Barbara)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
==================== Registry (Whitelisted) ==================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [RtHDVCpl] => C:\Windows\RtHDVCpl.exe [4669440 2007-07-05] (Realtek Semiconductor)
HKU\S-1-5-21-3762424694-237179980-4226746613-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\acer.scr [83554304 2007-04-19] ()
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program ... Read more

Answer:Still infected? Computer runs worse than before removal of bad stuff!

Greetings loki2007 and to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary. If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:

First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.

Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.

Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.

Please copy and paste all logs into your post unless directed otherwise.

Please do not re-run any programs I suggest. If you encounter prob... Read more

30 more replies
Relevance 51.25%

***before wasting your time reading this, I'm running Vista and don't know if it will work on XP or earlier systems***
 
Hi guys, I am by no means a tech expert. So do the following at your own risk.
 
About a month ago I contracted internet AIDS. The FBI virus is the worst virus I've ever had on my computer, and it did some serious damage. It even messed with my Xbox live account by tampering with my payment methods. Luckily, they weren't credit cards. If you have any access to credit cards from your computer I suggest removing them immediately upon contracting this virus. I can't remember how the virus started but I did notice some differences, and my Xbox Live account became unusable before my computer did. One day it randomly popped up on my computer and it became what I thought to be almost useless. I could only log in for about 30 seconds before the virus popped up. I wasn't thinking and left it plugged in (I don't know if this made a difference - as I said I'm no expert) for a couple weeks and then I couldn't even get to the desktop like I could before. When I started the computer and pressed F8 and selected 'Repair Computer' and tried logging in as the administrator, my password had been changed. When I tried starting it in safe mode, it logged in, logged off, shut down, restarted, and logged back in normally right away. Then the virus would pop up. After a while the virus just stopped popping up and my computer would white screen, giving me absolutely no co... Read more

More replies
Relevance 51.25%

Bleeping Computer used to have a tutorial named "How to easily clean an infected computer (Malware Removal Guide)"
 
Is it still available? Has it been updated to include Windows 10?
 
If it is available, could you provide a link to the article.
 
Thank you
 
BTC

Answer:How to easily clean an infected computer(Malware Removal Guide)

Are you referring to this guide?
http://www.bleepingcomputer.com/tutorials/how-to-remove-a-trojan-virus-worm-or-malware/
If so, it's from 2005 and a lot changed since then. While a lot of information in it is still relevant today, I suggest you ask for assistance here if you need help with malware removal.
MalwareTips is the website having an article with the exact name you mentioned.

4 more replies
Relevance 51.25%

Hello,
 
I am working on a PC with Windows XP service pack 3. My computer here at work got infected with a Trojan virus called Generic 33. It has disabled several times my printer software and scanning software. I have had to reinstall the software twice so far and I may have to do it again.
 
I need to get this computer cleaned up so that I can go about my daily tasks at work here. I am the Graphic Designer and I cannot afford to have this computer go down on me. My work won't pay for any expensive removal software and the free AVG anti-virus software continually says it's healed/quarantined/gotten rid of the virus but it has not.
 
Can you please help me get this computer clean?
 
Thank you.
 
-----------------------
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.21.2
Run by derek at 11:14:40 on 2013-06-04
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3070.934 [GMT -5:00]
.
AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\Google Talk\google... Read more

Answer:Infected Work computer with Trojan Virus Generic 33. Need help with removal

Hi hcline, Welcome to the forum. I will assist you with the issue.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

10 more replies
Relevance 50.84%

My computer running Windows Vista Home Premium Edition started to re-boot itself over and over again yesterday. I looked at start-up and found a service - I think that's what it's called - named in all lower case "risky" and it said that it runs a program called 84372872az.exe dated 9-11-2009 at 4:39 pm so I disabled it. No problems since then, by the way except that activity, especially in Internet Explorer, seems slower and I now have to often click my back button in IE more than once and I've never had to do that before.
I then searched and found the file existing in the roam folder under my users folder and deleted it and removed it from my recycle bin. I want to make sure it is completely gone. I have pasted text below and attached the files you asked for in the "sticky" for the malware/spyware part of the forum.

I would really appreciate any help you can give me !


This is the text which per your instructions I have pasted from dds.txt:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Charley at 10:05:50.42 on Sun 09/13/2009
Internet Explorer: 8.0.6001.18813
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.985 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton Internet Security *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norto... Read more

More replies
Relevance 50.84%

Please help...
All of a sudden I'm getting this popup non stop, I ran SuperAntiSpyware, adware, and Norton, but nothing helps...sigh!

Somebody, please help! Thanks so much!

this is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:11 PM, on 3/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Yahoo!\brows... Read more

Answer:Solved: Please Help to Remove "NOTICE: If your computer is infected..." popup

16 more replies
Relevance 50.43%

Somehow I got infected with something that is putting a red circle icon with a white X in my task tray. Every 5 seconds it pops up a window stating "Your computer is infected!", etc. etc.

I would appreciate anyone's help of how to remove this. My spyware software did not resolve the problem. I have downloaded HijackThis and below is the output of the scan.

Logfile of HijackThis v1.99.1
Scan saved at 8:02:16 PM, on 1/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\SpywareBot\SpywareBot.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\winstall.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:... Read more

Answer:"Your computer is infected!" popup from task tray

13 more replies
Relevance 50.43%

followed all 5 steps:

Could not run hijackthis at first, but renamed it to analyzethis and it opened, as pointed out by another thread with a very similar problem as mine.

Popup from taskbar, red x and does not stop popping up with fake warnings.

===================HIJACKTHIS======================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:29 PM, on 10/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\msscntr32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\user\Desktop\analyzethis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/...arch.yahoo.com
R1 - HKCU\Softw... Read more

Answer:"Your computer is infected!" taskbar popup - xpsecuirtycenter

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3






* IMPORTANT !!! Save... Read more

2 more replies
Relevance 50.43%

hello
i am requesting help for my laptop please. on 6/8/11 i was infected with the windows restore virus. at the time i was running the free edition of avg & i've always used antimalware bytes. i ran a full virus scan that day and also the malware bytes & removed a few things, but my computer was still not running right. all my start programs were gone, i ran unhide & that helped a bit but didn't fix the problem. i still don't have many items on my start menu, accessories etc. i have redownloaded a few programs so i could use them. ever since then it's been attacked daily, i had the windows restore pop up again & then also something called security shield.

i got rid of avg and downloaded avira and also superantispyware. i update all 3 and run them every night in safe mode, although i can't seem to run the superspyware in safe mode, my computer crashes and gives me a blue screen hard disc error. i can run it in regular mode and it usually finds and removes a lot of things nightly.

right now my internet is running very slow & i get popup windows that open new ie browsers. my ie will also freeze & i can't do anything and need to poweroff with the power button. i also cannot turn on my windows updates, it says it's on, but i have a warning that it's not on. i was also infected with the whitehorse toolbar or something like that, that i uninstalled & then superantispyware found a few bits of that this am and rem... Read more

Answer:infected with something - windows restore, popup windows, computer freezes

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues. If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that... Read more

20 more replies
Relevance 50.43%

The message reads as following:


Code:
Your computer is infected!
Windows has detected spyware infection!

It is recomended to use special antispyware tools to prevent data loss.

Windows will now download and install the most up-to-date antispyware for you.

Click here to protect your computer from spyware!
This stupid message only started to appear after i used my school's wireless internet connection.

It would be awesome if you guys could help me fix this, since this laptop is used to make school projects and work things, that I can't afford to lose.

Answer:Weird PopUp Message. "Your computer is infected"

Do not attempt to run or install the antispyware 2009 (I believe that is the software it tells you to use) as it is a malware.

Google and download Spybot Search And Destroy.
Install Spybot search and destroy, follow the steps and it will 90% of the time remove everything related to that specific virus/spyware.

7 more replies
Relevance 47.97%

Staff Advisory: This post needs to remain here until one of the malware team advise that it can be moved. This member cannot access our malware forums due to their infection. ~ Animal

------------------------------------------------------

Hello, I got some help from some nice people in the live chat. I have made a log with your hijackprogram and am posting it at the bottom. It created two .txt files so there are two reports. I am unable to open ANY link that has the words anti-spyware anywhere on the page or in the address bar so unfortunately I cannot post this in the malware removal forum because the internet window closes every time. I am in dire need of some help! I have a subscription to spy sweeper and it is keeping things out but I was infected with Antivirus xp 2008 and possibly some viruses because the computer was un-protected for about a month while I was in the hospital. I run with Windows XP and a wireless connection. If someone could take the time to look at this for me I would be so incredibly thankful! I offer my services as a photographer/graphic artist/professional gift shopper/myspace designer/beginner web designer. You can see what I do at www.perfectionpictures.com and contact me if you need anything at all!

Current Symptoms (in the order of appearance)
Random Total system crash then restart then blue screen then back to windows. msvcp71.exe is missing so a program is being prevented ... Read more

Answer:Antivirus Xp 2008 Removal Help/am I Infected? Can't Open Malware Removal Forum

Hi & welcome,

I would like to try a couple things before we go much further so I have a bit better picture of what is happening and can take the needed cautions.

1.) click start> run> type msconfig and hit enter.
click "boot.ini" tab
Checkmark /bootlog
Click "apply" and "close"
Reboot when asked
Locate and delete this file:
C:\windows\ntbtlog.txt (in case your extensions don't show it looks like a notepad)
Reboot
Locate & post:
C:\windows\ntbtlog.txt

2.) Click start> run> type: cmd.exe and hit enter.
type the following commands exactly as you see em & hit enter after each one:
cd c:\windows\system32
dir userinit.exe
Note the file size please & report that back to me. Leave cmd open a sec.
Back at the cmd window...
Type:
cd dllcache
dir userinit.exe
dir spoolsv.exe
Note file sizes & report that back to me.
Type exit in the CMD window & hit enter. (this closes it)

3.) Can you see also if you can get this program installed please:
http://download.bleepingcomputer.com/hijac.../HJTInstall.exe
Save file> run it> follow prompts to install excepting defaults.
Allow it to "launch" hijackthis.
Click the "Do a System Scan and Save a Log File" option
Save the log file and then it should open with Notepad
Go to Edit, Select All and then Edit, Paste to paste the contents of the log here

Let me know if you had any problems with the above please.

I advise keeping the system offline as much as possib... Read more

3 more replies
Relevance 47.97%
Question: Popup - Removal

My XP (Home) seems to be affected by an annoying popup programme. When I'm on-line (broadband) every now and again I'm being told about men's medicines and so on. I have the usual anti-spyware installed and the XP firewall on. I've been through the Registry manually and haven't discovered anything obviously amiss (although I'm only a novice and might have missed the offending line). I've tried a couple of free downloads to attempt to cleanse the system but they haven't worked. Anything else I could do please? Many thanks.

Answer:Popup - Removal

Messenger Service pop-ups? click here

2 more replies
Relevance 47.97%
Question: Cid Popup Removal.

I am having a lot of trouble trying to remove this program from my computer. I have ran nolop which came up with no infection and have also tried to remove the files listed in another thread relating to this from add/remove software. I have also ran through the steps in the preparation guide. Any help with this matter would be greatly appreciated.

Cheers
Pete

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:52:30 AM, on 11/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\ntl\ntl Netguard\RPS.exe
C:\WINDOWS\RTHDCPL.EXE
C:... Read more

Answer:Cid Popup Removal.

Hi, Welcome to Bleeping Computer Forums!

Please take note of the following:
I will be handling your log and helping you, please do not make any system changes yet.
The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patient.
The fixes are specific to your problem and should only be used for this issue on this machine.
If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.

6 more replies
Relevance 47.97%
Question: Popup removal..

I have a friend who has a problem with 'porn' pop ups. She has children who use the PC so wants rid of them !!
I have ran Spybot, AVG free full scan, Bit defender total security 2009 full scan, Malwarebytes full scan. All of these found some problems and dealt with them. But there is still one site persisting in appearing randomly - sometimes after several days not appearing. I also ran COMBOFIX which ran through without problem.
Regrettably I am not in a position to post hijack this logs at this time.
Can anyone suggest what I could try if not able to post hijack this log.
Thanks AL..
 

More replies
Relevance 47.97%
Question: Cid Popup Removal

Not sure if this will help everyone but I have fixed the CID popup problem on my computer rather easily and by mistake. I was watching my processes on task manager trying to figure this one out and as the CID popup was plastering iexplore.exe's all over the place I noticed that another file had emerged onto the screen before morphing into another iexplore.exe file. I only got a split second glimpse of a file that looked something like pl#$%.exe. I did a file search on my computer for all exe files starting with "PL" (pl*.exe). Found nothing at first and realized that I didn't have hidden files/folders checked. Started it again and found this particular file "plan real.exe". It was located at C:\Documents and Settings\All Users\Application Data\Dumb Pure Blind Support\Plan Real.exe.
I opened up regseeker v1.45 and went into startup entries and deleted the line item for this file, restarted the computer, surfed the internet without popups.
I then went to the Dumb Pure Blind Support folder and executed the Plan Real file just to make sure and the popups started again. Restarted the computer and deleted the folder and file. All appears to be in order.
I hope this is the answer for everyone.....I just got lucky.
 

Answer:Cid Popup Removal

Hi and welcome to TSG.

Happy you resolved your problem.
 

1 more replies
Relevance 47.97%
Question: Popup Removal

Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows 7 Home Premium, Service Pack 1, 64 bit
Processor: Intel(R) Celeron(R) CPU B810 @ 1.60GHz, Intel64 Family 6 Model 42 Stepping 7
Processor Count: 2
RAM: 4030 Mb
Graphics Card: Intel(R) HD Graphics Family, 1791 Mb
Hard Drives: C: Total - 283488 MB, Free - 226154 MB; D: Total - 17358 MB, Free - 7606 MB; E: Total - 301 MB, Free - 261 MB; F: Total - 4085 MB, Free - 1160 MB;
Motherboard: Hewlett-Packard, 167E
Antivirus: avast! Antivirus, Updated and Enabled
 

Answer:Popup Removal

16 more replies
Relevance 47.97%

Here is my HJT Log:


Edit by bjgarrick: Unrequested, Inline HJT log removed!

 

Answer:Need help with Popup Removal

Welcome to MajorGeeks.com, please follow our standard cleaning procedures:

Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support


Make sure you check version numbers and get all updates.
Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

Downloading, Installing, and Running HijackThis

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around..
When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
CounterSpy
AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
Bitdefender - from step 6
Panda Scan - from step 6
runkeys.txt - the log from GetRunKey.bat
newfiles.txt - the log from ShowNew.bat
HijackThis
NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
 

11 more replies
Relevance 47.97%

I have tried running everything I can possibly run to keep this from happening. I am getting Winfixer 2005 popups on every window I open. I have run Ad Aware, Norton, the Auto Run "fixer". Nothing is working. Can anyone help?

Answer:Need Help with Popup removal

Other than Ad-aware, are you using these basic security programs? (They're all free.)

a² free - a complementary product to antivirus software which is specialized in protection against harmful software. Antivirus software often features an inadequate protection against Trojans, Dialers and Spyware. a² fills this gap.
Spybot S&D - Detects and removes spyware, of different types, from your computer.
Spywareblaster - A good program that prevents spyware from being installed on your computer in the first place. This program is always running in the background, protecting your computer. It prevents the installation of bad active X controls found in web pages.
SpywareGuard - A nice complement to SpywareBlaster. This allows you the option to prevent downloads that contain bad active X controls.

If not, you need to. These programs, updated and used regularly, will do a lot to keep your computer clean of spyware, trojans, keyloggers, browser hijackers, etc...
Download them, update them, and then run them.

Important: Please read this tutorial on Spybot S&D before using it. Spybot can do SERIOUS damage, if not used properly.

If that doesn't help, then:
Read How to post a HijackThis Log. Please read, and follow, all directions carefully.
Then, run a log, and post it in the HJT forum, at this link. Do not, fix anything, yet.
A member, of the HJT Team, will help you out.
It may take a while to get a response, because the HJT Team are very busy. Please, be patient, these people are volunteers. They w... Read more

1 more replies
Relevance 47.97%
Question: Cid Popup Removal

hey, i've looked at other posts regarding this and it seems you have to run a hijack this log so here's mine below, please help they're so annoying!

Logfile of HijackThis v1.99.1
Scan saved at 19:14:32, on 31/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Mi... Read more

Answer:Cid Popup Removal

Hello Lizi,

My name is Rahina Rescue and I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

15 more replies